Pages

Saturday, March 17, 2012

SSIS Package Protection Level

Each SSIS component designates that an attribute is sensitive by including Sensitive="1" in the package XML.
An OLE DB Connection Manager specifies that the database password is a sensitive attribute as follows:
<DTS:Password DTS:Name="Password" Sensitive="1"></DTS:Password>

An DYNAMICS-CRM Connection Manager specifies that the database password is a sensitive attribute as follows:
<ServerPassword Sensitive="1"></ServerPassword>

Click anywhere in the design area of the Control Flow tab in the SSIS designer to show the package properties
When the package is saved, any property that is tagged with Sensitive="1" gets handled per the ProtectionLevel property setting in the SSIS package.
DontSaveSensitive - When the package is saved, sensitive values will be removed. This will result in passwords needing to be supplied to the package, through a configuration file or by the user.

After saving the package using this setting, when you open it up and edit the OLE DB Connection Manager, the password is blank even though the Save my password checkbox is checked: 


EncryptSensitiveWithUserKey -  This will encrypt all sensitive data on the package with a key based on the current user profile. This sensitive data can only be opened by the user that saved it.

<DTS:PASSWORD Sensitive="1" DTS:Name="Password" Encrypted="1">AQAAANCMnd8BFdERjHoAwE/Cl+...</DTS:PASSWORD> 

It another user opens the package, all sensitive information will be replaced with blanks. This is often a problem when a package is sent to another user to work on.





EncryptSensitiveWithPassword - Sensitive data will be saved in the package and encrypted with a supplied password.

Every time the package is opened in the designer, you will need to supply the password in order to retrieve the sensitive information. If you cancel the password prompt, you will be able to open the package but all sensitive data will be replaced with blanks. This works well if a package will be edited by multiple users.

EncryptAllWithPassword - This works the same as EncryptSensitiveWithPassword except that the whole package will be encrypted with the supplied password. When opening the package in the designer, you will need to specify the password or you won’t be able to view any part of the package.

EncryptAllWithUserKey - This works the same as EncryptSensitiveWithUserKey except that the whole package will be encrypted. Only the user that created the package will be allowed to open the package.

ServerStorage - This option will use SQL Server database roles to encrypt information. This will only work if the package is saved to an SSIS server for execution.

No comments:

Post a Comment